Canada's anti-spam law has teeth. Since 2017, the CRTC has handed out fines as large as $1.1 million CAD to a single company for CASL violations — and that wasn't a spam operation. It was a legitimate business that misread the consent rules. CASL cold email compliance is one of the most misunderstood areas in outreach, and the most common mistakes aren't the obvious ones. Most teams running Canadian cold email campaigns think they're compliant. A third of them aren't — and the gap is almost always express vs implied consent.
💡 TL;DR
CASL applies to any commercial email sent to a Canadian recipient — including cold outreach. You need either express consent (opt-in) or a valid implied consent basis before sending. Implied consent under CASL lasts only 2 years from a business relationship or 6 months from a public inquiry. Your email must include sender ID, mailing address, and an unsubscribe mechanism that works within 10 business days. Violations can cost up to $10 million CAD per incident for corporations. The safest infrastructure choice: pre-warmed inboxes with proper authentication like Litemail, with SPF, DKIM, and DMARC pre-configured, keeping your sending reputation clean while you manage consent compliance.
The Myth: CASL Bans All Cold Email to Canadians
It doesn't. That's the single biggest misconception about CASL cold email compliance, and it stops teams from running any Canadian outreach at all. CASL restricts unsolicited commercial email — but it provides a specific category called implied consent that covers a lot of legitimate B2B cold outreach situations. The key is knowing exactly when implied consent applies and how long it lasts.
Here's where most teams get it wrong. They assume "implied consent" means "we can email anyone who has a public email address." That's not what it means. Implied consent is specific and time-limited. Getting it wrong doesn't just mean low deliverability — it means legal exposure.
Consent Type | What It Covers | Duration | Documentation Required |
|---|---|---|---|
Express consent | Recipient actively opted in to receive commercial messages | Until withdrawn | Opt-in record with timestamp |
Implied — existing business relationship | Purchase, contract, or enquiry in the past 2 years | 2 years from last transaction | CRM record of relationship |
Implied — conspicuous publication | Contact published their email without a no-solicitation notice | Duration of relevance | Screenshot of publication + date |
Implied — enquiry or application | Recipient contacted you or applied within last 6 months | 6 months from enquiry | Inbound record with date |
No valid consent | Scraped list, bought contact, no relationship | N/A | N/A — don't send |
What CASL Actually Requires in Every Cold Outreach Email
Every commercial electronic message sent to a Canadian recipient — regardless of consent type — must include three things. Missing any one of them makes the message non-compliant even if you have valid consent.
Sender identification. The email must clearly identify who is sending it — your name or your company name. "From: J. Smith" without company context doesn't cut it if recipients can't identify the business.
A valid mailing address. A physical postal address, PO Box, or registered mailing address. This must be accurate and current. A fake or outdated address is a CASL violation on its own.
A working unsubscribe mechanism. Must be easy to use, clearly described, and must take effect within 10 business days. If someone unsubscribes and you email them again within 10 business days, you're in violation — even if it was a sending tool error.
In practice, this means your cold email signature needs more than a name. A recruitment consultant in Toronto running outbound for client mandates needs their firm's full mailing address and a working unsubscribe link in every message — including the first touch.
The Grey Areas That Actually Trip Teams Up
You might be thinking — but what about B2B exceptions? Here's why that doesn't change the answer the way most people hope it does.
CASL does not have a blanket B2B exemption. There's no carve-out that says "if you're emailing a business contact, CASL doesn't apply." The law applies to any commercial electronic message sent to a Canadian electronic address. B2B outreach is included. The exceptions that exist are narrower than most teams realise.
The "conspicuous publication" exception
If a person has published their contact information in a public directory, on their website, or in a professional profile — and they have not included a statement that they don't want unsolicited commercial messages — you have implied consent to contact them on topics relevant to their business role. This is the most commonly cited exception for cold outreach to Canadian contacts. But "relevant to their business role" is not a free pass. Emailing a CFO about a B2B accounting tool? Probably relevant. Emailing the same CFO about office furniture? Less clearly so.
The 2-year clock on business relationships
If someone was a customer or had a documented business relationship with you within the past 2 years, you have implied consent. But the 2-year clock resets only from the last transaction or interaction — not from when the relationship started. A client who stopped buying from you 26 months ago is outside the implied consent window. Most CRMs don't flag this automatically. You need to check it manually or build a consent-expiry workflow.
Transactional vs commercial messages
CASL distinguishes between transactional messages (order confirmations, account alerts, service updates) and commercial messages (anything promoting a product or service). Transactional messages don't require consent. But adding a sales pitch or upsell offer to a transactional email turns it into a commercial message — and consent rules apply. This trips up SaaS teams who embed cold offers in customer service replies.
Your CASL Cold Email Compliance Checklist for 2026
Before sending any campaign to Canadian contacts, run through this. It's not exhaustive legal advice — get a lawyer for that — but it covers the operational failures that generate the most CRTC complaints.
✅
Document your consent basis for every contact
For every Canadian contact, record whether your basis is express consent, implied-business-relationship, or conspicuous publication. Include the date the consent was established. If you can't document it, you shouldn't be sending to that contact.
✅
Set consent expiry reminders in your CRM
Implied consent from a business relationship expires after 2 years. Implied consent from an enquiry expires after 6 months. Build date-triggered alerts in your CRM so contacts move to "requires re-consent" status before the window closes — not after you've already sent a non-compliant message.
✅
Include all required message elements
Every commercial email must carry: sender name and business, physical mailing address, and a working unsubscribe link. Test your unsubscribe mechanism monthly. A broken unsubscribe link discovered during a CRTC investigation is a standalone violation regardless of your consent documentation.
✅
Honour unsubscribes within 10 business days
This is non-negotiable. Set up suppression list sync between your unsubscribe mechanism and your sending tool so it happens automatically — not through a manual process that someone might forget. Automated suppression is the only reliable way to meet the 10-day deadline at scale.
✅
Verify your sending infrastructure is clean
CASL compliance doesn't protect you from spam filter placement. Keep your spam complaint rate under 0.08% — Google's published safe threshold — and use pre-warmed inboxes with clean IP history. Litemail's US and EU dedicated IPs with pre-configured SPF, DKIM, and DMARC mean compliance-ready infrastructure from day one.
What Happens When CASL Compliance Breaks Down
The CRTC doesn't chase every small business that sends a cold email. But it does investigate complaints — and complaints come from recipients, not regulators. One motivated unsubscribe who files a complaint can trigger an investigation that surfaces systemic issues. That's where the fines come from.
The 2017 case against Compu-Finder — $1.1 million CAD — came from a pattern of sending commercial messages without valid consent and failing to provide functional unsubscribe mechanisms. Not from one rogue email. From a pattern that a single complaint exposed.
In practice, the risk scales with volume. A 3-person agency sending 50 emails to Canadian contacts per week with sloppy consent documentation is low-risk in terms of complaint volume. A 20-person agency sending 5,000 emails per week with the same documentation problems is a different conversation. Volume amplifies both the compliance gap and the complaint probability.
One more thing that's commonly recommended but wrong: adding a "this is not spam" disclaimer to the bottom of cold emails. That phrase carries zero legal weight under CASL. What matters is documented consent, proper sender identification, and a working unsubscribe mechanism. The disclaimer actually signals to spam filters that the sender knows the message might look like spam.
[INTERNAL LINK: cold email deliverability setup → /cold-email-infrastructure-setup]
[INTERNAL LINK: email warmup for new domains → /email-warmup-guide]
[EXTERNAL LINK: CRTC CASL compliance page → crtc.gc.ca/eng/internet/anti.htm]
Why Infrastructure Matters for CASL-Compliant Outreach
Compliance and deliverability are separate things — but they're connected. A perfectly CASL-compliant email that lands in the spam folder achieves nothing. And a message that hits the inbox but lacks a working unsubscribe mechanism is non-compliant the moment it arrives.
The teams running CASL-compliant cold outreach successfully in 2026 have both sorted. They manage consent documentation at the CRM level and manage deliverability at the infrastructure level. Litemail's pre-warmed inboxes — available in Google Workspace and Microsoft 365 at $4.99 per inbox per month — handle the infrastructure side. SPF, DKIM, and DMARC pre-configured means no authentication gaps that drag deliverability and inflate complaint rates.
Higher deliverability means fewer spam complaints. Fewer spam complaints means less CRTC exposure. The connection is direct.
[INTERNAL LINK: pre-warmed inboxes for outreach → /pre-warmed-inbox-cold-email]
[INTERNAL LINK: CASL email compliance guide → /casl-compliance-email]
Key Takeaways
CASL does not ban all cold email to Canadians — but it requires either express or valid implied consent before sending any commercial message.
Implied consent from a business relationship lasts only 2 years; implied consent from an enquiry lasts only 6 months — track these expiry dates in your CRM.
Every commercial email to a Canadian recipient must include sender name, physical mailing address, and a working unsubscribe link — all three, every time.
Unsubscribe requests must be honoured within 10 business days — automate suppression list sync so this never depends on a manual process.
The "conspicuous publication" exception lets you email contacts who've published their address publicly — but only on topics relevant to their business role.
Adding a "this is not spam" disclaimer carries zero legal weight under CASL and may trigger spam filters. Don't do it.
Keep spam complaint rate under 0.08% — clean infrastructure and pre-warmed inboxes reduce complaints and reduce CRTC exposure simultaneously.
Frequently Asked Questions
Does CASL apply to B2B cold email sent to Canadian businesses?
Yes. CASL applies to any commercial electronic message sent to a Canadian electronic address — including B2B outreach. There is no blanket B2B exemption. You need either express consent or a valid implied consent basis (existing business relationship, conspicuous publication, or recent enquiry) before sending to any Canadian contact, business or personal.
What is implied consent under CASL and how long does it last?
Implied consent covers three main scenarios: an existing business relationship (lasts 2 years from last transaction), a recent enquiry or application (lasts 6 months), or conspicuous publication of contact information without a no-solicitation notice (duration of relevance). Once implied consent expires, you need express opt-in to continue sending commercial messages to that contact.
What must every CASL-compliant cold email include?
Every commercial electronic message must include: clear identification of who is sending (name and business), a valid physical mailing address (postal address or PO Box), and a working unsubscribe mechanism that's easy to find and use. Unsubscribes must be processed within 10 business days. Missing any one element makes the message non-compliant regardless of consent documentation.
What are the fines for CASL violations?
Fines under CASL can reach $1 million CAD per violation for individuals and $10 million CAD per violation for corporations. The CRTC has enforced fines as high as $1.1 million CAD in a single case. Fines scale with the nature of the violation, the volume of non-compliant messages sent, and whether the violation was deliberate or negligent.
Can I email someone I met at a networking event under CASL?
Possibly — if they gave you their business card and their role makes your message relevant to their business. The CRTC considers business card exchange at a professional event as a form of implied consent for relevant commercial messages. But document the context (event name, date, how contact was made) in case of a complaint. "Relevant to their business role" is the key qualifier — a pitch entirely unrelated to their work is harder to defend.
Does CASL compliance affect email deliverability?
Indirectly, yes. CASL-compliant outreach — with proper consent, lower unsubscribe friction, and relevant targeting — tends to generate fewer spam complaints. Spam complaint rates directly affect deliverability: keep yours under 0.08% to stay in Google's safe zone. Cleaner lists built on valid consent perform better in spam filters because recipient engagement signals are stronger.
Do I need a lawyer to run CASL-compliant cold outreach?
For small-volume outreach with straightforward implied consent scenarios, a lawyer isn't strictly necessary if you understand the rules well. But for agencies managing outreach across multiple clients, or teams sending to large Canadian contact lists, legal review of your consent documentation and process is worth it. The operational risk at scale justifies the cost of getting a proper compliance review done once.
What's the difference between CASL and CAN-SPAM for cold email?
CAN-SPAM (US law) is opt-out — you can send commercial email without prior consent as long as you provide an unsubscribe option. CASL (Canadian law) is opt-in — you need prior consent (express or implied) before sending. CASL is significantly stricter. If you're sending to both US and Canadian contacts, you need to segment your list and apply CASL rules to Canadian addresses regardless of where your business is located.
